powered by Jive Software

Using reCAPTCHA over https

Hey folks,

I have a fairly simple request but it’s a rather breaking issue for keeping my jabber server secure and preventing bot registrations:

The registration plugin offers web registration and reCAPTCHA in it, but it only works over unencrypted http. Since people are posting their proposed passwords when registering, it’s important that someone can’t snoop on that.

However, adding the reCAPTCHA challenge doesn’t work over https - Google supports https requests but the registration plugin only supports http.

A simple solution would be to remove the http: protocol header and use a URL similar to:

//api.recaptcha.net/challenge?k=nnnnnnnnnnnnnnnnnn

instead of adding http: – any recent browser will understand a URL with // at the start without a protocol, and will automatically use the protocol that was used previously (http or https). Alternatively, the plugin could check internally which port was used (9090 or 9091)?

1 Like

I have rebuild plugin, problem solved. Corrections:

  1. updated lib “recaptcha4j” to the last version(0.0.8) - this solve problem with old ReCaptcha domain
  2. newReCaptcha method in sing-up.jsp changed to newSecureReCaptcha - whatever you use, 9090 or 9091 - captcha always comes via HTTPS

Now all work fine. Rebuilded registration.jar, just need to upload into Admin Console:

http://www.sendspace.com/file/g1x8mv

P.S.

Sorry for my Eanglish ^)

fx03nix, could we have a patch to fix this up?

daryl

Daryl, you mean commit on github or something like this? Yes, sure.

It will be great, if you give me some kind of example(or link to related faq) - in which format patch should be placed, and where it should be placed ? I’m a newcomer here, sorry if i asked something stupid)

Not a stupid question at all, we don’t have a contribution page setup yet to detail how to git clone, branch, then send a pull request. In general, a unified diff against current development on github would be sufficient.

daryl

Not sure, that i do all correct but:

https://github.com/Fx03nix

2 pull requests - first, for update sing-up.jsp, and second for delete recaptcha4j.jar and replace it with last version. All fine ?

If something not right - please, notify me about this, and i will correct it. It’s my first day on github and second day with Java, so…)

Have a nice day)

Opened http://issues.igniterealtime.org/browse/OF-780 to track.